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Background 


The Information Commissioner is responsible for enforcing and promoting 
compliance with the UK General Data Protection Regulation (UK GDPR), 
the Data Protection Act 2018 (DPA18), the Privacy and Electronic 
Communications Regulations (PECR) and other data protection legislation. 
Section 146 of the DPA18 provides the Information Commissioner’s Office 
(ICO) with the power to conduct compulsory audits through the issue of 
assessment notices. Section 129 of the DPA18 allows the ICO to carry out 
consensual audits. The ICO sees auditing as a constructive process with 
real benefits for controllers and so aims to establish a participative 
approach. 


The ICO’s Investigations team ran an investigation between 2017 and 
2020 following a number of complaints received from data subjects via 
the Telephone Preference Service (TPS) and ICO’s own online reporting 
tool. The investigation was focussed on a organisations who were making 
marketing calls using a range of generic and fictitious company names or 
misusing the names of other genuine companies. By masking their true 
identity data subjects were prohibited from making complaints directly to 
these companies and their rights and freedoms provided in data 
protection legislation were significantly undermined. 


United Legal Assistance Ltd (ULA) did not form part of the initial 
investigation however, they were found to be a recipient of personal data 
obtained as a result of the unlawful collection and compiling of bulk 
marketing lists. The ICO wrote to ULA in August 2020 outlining their initial 
concerns, particularly in regard to PECR regulation 21. 


ULA provided responses to ICO enquiries over a further series of 
correspondence and also confirmed that they had implemented additional 
measures to improve their data protection practices. 


The ICO wrote to ULA in August 2021 to invite them to take part ina 
consensual audit. The audit took place during the week beginning 4 
October 2021. 


The scope of the audit covered the following key control areas: 


Governance 

Sourcing personal data 
Transparency 

Lawful basis for processing 
Data supply and sharing 


The purpose of the audit was to provide the Information Commissioner 
with an assurance of the extent to which ULA, within the scope of the 
audit, is complying with data protection legislation. 


Priority of recommendations summary 


Where opportunities for improvement were identified recommendations 
have been made, primarily around enhancing existing processes to 
facilitate compliance with data protection legislation. In order to assist 
ULA in implementing the recommendations, each has been assigned a 
priority rating based upon the risks that they are intended to address. The 
ratings are assigned based upon the ICO’s assessment of the risks 
involved. ULA’s priorities and risk appetite may vary and, therefore, they 
should undertake their own assessments of the risks identified. 


A summary of the ratings assigned within this report is shown below. 


Priority Ratings Summary 


a Urgent = High = Medium 


The pie chart above shows a breakdown of the priorities assigned to the 
recommendations made. There are 14 urgent, three high and one 
medium priority recommendations. 


Urgent priority recommendations are intended to address risks which 
represent clear and immediate risks to ULA’s ability to comply with the 
requirements of data protection legislation. 


Areas for Improvement 


The ICO are encouraged by the improvements to data protection practices 
made by ULA since the initial contact in August 2020 including; 


The requirement for all staff to complete annual data protection 
training. 

The additional due diligence conducted on service which providers 
further assurance that there use of personal data will be compatible 
with the purposes for which it was originally collected. 

Due diligence carried out on introducing insurance brokers which 
provides assurance that personal data has been collected and 
shared lawfully. 

Proactively restricting the amount of personal data processed to 
what is necessary. 


However, the audit identified some areas where further improvements are 
required to achieve compliance with data protection legislation. 


There is a limited technical understanding of the UK GDPR within 
ULA. This means that, even where there is a desire to improve and 
achieve compliance, internal policy and implemented measures may 
not meet statutory requirements. 

Published privacy information is not fully compliant with Article 13 
of the UKGDPR and all relevant information is not available to data 
subjects at the time their personal data are collected. 

ULA do not meet the requirements for some lawful bases selected 
and therefore do not have an appropriate lawful basis for all of their 
processing activities. Some processing does not have a documented 
lawful basis. Without appropriate lawful bases ULA will; be 
processing personal data unlawfully; be unable to provide clear 
transparency information to data subjects; and undermine the 
rights afforded to data subjects within data protection legislation. 


Appendices 


Appendix One - Recommendation Priority Ratings Description 


Urgent Priority Recommendations - 


These recommendations are intended to address risks which 
represent clear and immediate risks to the data controller’s ability 
to comply with the requirements of data protection legislation. 


The matters arising in this report are only those that came to our attention 
during the course of the audit and are not necessarily a comprehensive 
statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, 
governance and internal control arrangements in place rest with the 
management of United Legal Assistance Ltd. 


We take all reasonable care to ensure that our audit report is fair and accurate 
but cannot accept any liability to any person or organisation, including any 
third party, for any loss or damage suffered or costs incurred by it arising out 
of, or in connection with, the use of this report, however such loss or damage is 
caused. We cannot accept liability for loss occasioned to any person or 
organisation, including any third party, acting or refraining from acting as a 
result of any information contained in this report. 


